USSD Code dialling exploits


The recent disclosure of the finding that many phones respond to USSD dial strings in a tel: html markup without requiring any user input has recently been demonstrated.

The issue comes from the tel: html markup, that the phone will automatically execute a USSD command embedded in a tel link.

The Samsung S series has some powerful hidden codes, including one that will reset the phone to factory default *2767*3855#

The html string <iframe src=”tel:*%2306%23″/>  will display the IMEI, but if the code above is used this resets the phone. My experience suggests that most phones have secret codes that perform these sorts of actions. It only remains for these to be discovered for much wider exploitation.

Normally when a tel: prompt is encountered this just populates the dial number field and the user would then need to hit call to initiate the call. Some USSD codes do not require this, all phones should respond to the *#06# string with the IMEI of the phone.

Video of the presentation: http://www.youtube.com/watch?v=Q2-0B04HPhs

There is a test page: http://mobilephonesecurity.org/tel/ This is safe to go to as it only has the code to display your IMEI. If you visit this page on a phone browser, this page should open the dialler and pre-fill the dial string with *#06# ready for you to hit send. If your phone is vulnerable you will just see the IMEI displayed, that is the phone has immediately dialled this string.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: